The triumvirate of automation, expressivity, and safety


SLIDE 1

The triumvirate of automation, expressivity, and safety

Chantal Keller October, 18th 2016

The triumvirate of automation, expressivity, and safety Chantal Keller 1 / 18

SLIDE 2

Why so many provers?

A wide range of applications, such as:
  • deductive verification / proofs of programs
  • "mathematical" proofs
  • formalizing metatheory
  • induction/coinduction
  • reasoning on/with computation
  • . . .


SLIDE 3

The triumvirate


SLIDE 5

Interoperability: get the best of everything

But:
  • at what cost/effort?
  • how agnostic can the systems be?
  • portability?
  • automation?

In this talk: three examples of interoperability between two systems A and B


SLIDE 10

1. Autarkic approach

[diagram: system B implemented inside system A; the goal is handed to B]

Ex: Ergo (A = Coq; B = subset of Alt-Ergo)


SLIDE 11

Advantages and limitations

+ shared representation of formulas
+ correctness established once and for all
+ formal correctness of the algorithms
- really hard to prove
- really hard to maintain or improve (fixes the implementation)
- not always possible


SLIDE 12

Our criteria:
  • at what cost/effort? statements: none; proofs: huge
  • how agnostic can the systems be? not at all
  • portability? none
  • automation? medium


SLIDE 19

2. Skeptical approach

[diagram: system A sends the goal through a preprocessor to system B; B's proof comes back as a certificate that is validated by a checker (correctness) inside system A]

SLIDE 20

Examples

Tool               System A                  System B
metis              Isabelle/HOL, HOL4, ...   metis
sledgehammer       Isabelle/HOL              Z3, CVC4, vampire
SMTCoq             Coq                       ZChaff, veriT, CVC4
HOL Light ↔ Coq    Coq                       HOL Light


SLIDE 21

Advantages and limitations

+ correctness easier to establish
+ System B may evolve independently
+ pre-processing ⇒ efficiency and various provers
+ caching
- no shared representation of formulas
- if the certificate is false?
- System B needs instrumentation

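What the checker side of the skeptical approach looks like in code, as an added example that is not from the talk and not the code of any tool listed above. A small resolution-refutation checker stands in for system A, and an instrumented saturation prover stands in for system B: the solver records every resolution it performs (the "instrumentation" of the slide) and hands the list over as the certificate; the checker replays each step against the goal it already holds and accepts only if the empty clause is reached. The function names `check_refutation` and `untrusted_solver`, the certificate format (triples of clause ids) and the sample formulas are all assumptions of this example. The answer to "if the certificate is false?" is in `check_refutation`: a forged, truncated or misreferenced certificate is rejected, and only the checker (not the solver) has to be trusted.

```python
"""Skeptical-style certificate checking for propositional unsatisfiability.

Trusted part:   resolve() and check_refutation()  (the checker in system A)
Untrusted part: untrusted_solver()                  (stands in for system B)
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

# A clause is a set of literals; literal k > 0 is variable k, -k its negation.
Clause = FrozenSet[int]
# One certificate step: (id of the new clause, id of left premise, id of right premise).
Step = Tuple[int, int, int]


def resolve(left: Clause, right: Clause) -> Optional[Clause]:
    """Binary resolution on the unique clashing literal.

    Returns None when there is no unique clash (zero or several pivots):
    such a step is not a sound resolution and must be refused."""
    pivots = [lit for lit in left if -lit in right]
    if len(pivots) != 1:
        return None
    pivot = pivots[0]
    return (left - {pivot}) | (right - {-pivot})


def check_refutation(cnf: List[Clause], steps: List[Step]) -> Tuple[bool, str]:
    """Trusted checker: replay the certificate against the goal.

    `cnf` comes from system A, never from the certificate, so a certificate
    cannot change what is being proved.  Every step is re-derived with
    resolve(); the certificate is accepted only if the empty clause appears.
    Returns (verdict, reason)."""
    known: Dict[int, Clause] = {i: c for i, c in enumerate(cnf)}
    for new_id, left_id, right_id in steps:
        if new_id in known:
            return False, f"step reuses clause id {new_id}"
        if left_id not in known or right_id not in known:
            return False, f"step {new_id} cites an unknown clause"
        resolvent = resolve(known[left_id], known[right_id])
        if resolvent is None:
            return False, f"step {new_id} is not a valid resolution"
        known[new_id] = resolvent
    if frozenset() in known.values():
        return True, "empty clause derived"
    return False, "certificate does not derive the empty clause"


def untrusted_solver(cnf: List[Clause]) -> Optional[List[Step]]:
    """Stand-in for system B: a saturation prover instrumented to emit steps.

    Nothing here is trusted; it only records each resolution it performs so
    the checker can replay it.  Returns a certificate, or None when
    saturation stops without the empty clause (the formula is satisfiable)."""
    clauses: List[Clause] = list(cnf)
    seen: Dict[Clause, int] = {c: i for i, c in enumerate(clauses)}
    steps: List[Step] = []
    changed = True
    while changed:
        changed = False
        n = len(clauses)
        for i in range(n):
            for j in range(i + 1, n):
                res = resolve(clauses[i], clauses[j])
                # Skip non-resolvable pairs, tautologies and clauses already known.
                if res is None or any(-lit in res for lit in res) or res in seen:
                    continue
                seen[res] = len(clauses)
                clauses.append(res)
                steps.append((seen[res], i, j))
                changed = True
                if not res:          # empty clause: refutation complete
                    return steps
    return None


# Constructed sample inputs (variables 1 and 2), not taken from the talk.
# Unsatisfiable: (1 ∨ 2) ∧ (¬1 ∨ 2) ∧ (1 ∨ ¬2) ∧ (¬1 ∨ ¬2)
CNF_UNSAT: List[Clause] = [frozenset(s) for s in ({1, 2}, {-1, 2}, {1, -2}, {-1, -2})]
# Satisfiable: (1 ∨ 2) ∧ ¬1
CNF_SAT: List[Clause] = [frozenset({1, 2}), frozenset({-1})]
# Forged certificate: claims clauses 0 and 3 resolve, but they clash on two literals.
FORGED: List[Step] = [(4, 0, 3)]

if __name__ == "__main__":
    cert = untrusted_solver(CNF_UNSAT)
    print("solver certificate:", cert)
    print("checker verdict:   ", check_refutation(CNF_UNSAT, cert or []))
    print("forged certificate:", check_refutation(CNF_UNSAT, FORGED))
    print("satisfiable input: ", untrusted_solver(CNF_SAT))
```

The trusted computing base is the few lines of `resolve` and `check_refutation`; the solver may be as clever, buggy or hostile as it likes, since anything it claims is re-derived before it is believed. This is also why the approach makes "System B may evolve independently" cheap: swapping in another solver only requires that it emit the same certificate format.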

SLIDE 22

Our criteria:
  • at what cost/effort? statements: from small to huge; proofs: small
  • how agnostic can the systems be? only certificates
  • portability? great
  • automation? medium to good


SLIDE 23

Standards for certificates?

Propositions:
  • LFSC
  • veriT/SMTCoq
  • TPTP
  • OpenTheory
  • . . .

Encodings between first-order formats: not that hard


SLIDE 24

3. A priori approaches

Built-in interoperability:
  • decide in advance the interoperability you want with System B
  • build System A around it


SLIDE 27

Example: F*

  • impure functional programming language
  • rich type system: dependent and refined types (to express various properties on programs)
  • type checking: designed to use the Z3 SMT solver
  • Curry-Howard: programs are proofs

    module Induction

    (* u n is 0 for every n, computed by recursion on n *)
    val u : nat -> Tot nat
    let rec u n = if n = 0 then 0 else u (n-1)

    (* The lemma is itself a recursive program: the recursive call on n-1
       plays the role of the induction hypothesis, and each case is
       discharged by the type checker with Z3 *)
    val induction : n:nat -> Lemma (ensures (u n = 0))
    let rec induction n = if n = 0 then () else induction (n-1)


SLIDE 28

Example: Why3


SLIDE 29

Our criteria:
  • at what cost/effort? statements: from small to huge; proofs: from small to huge
  • how agnostic can the systems be? good
  • portability? bad
  • automation? really good


SLIDE 30

Summary

Criterion            Autarkic   Skeptical   A priori
effort (statements)  ++         –
effort (proofs)      –          ++
agnostic             –          ++          +
portability          –          ++
automation           +          +           ++


SLIDE 31

Take-away

The lessons for new systems:
  • interoperability is hard!
  • think from the very beginning that people may want to use your system differently: certificates (possibly in a standard), API, . . .
